Timestamp server for Acrobat 9 Pro Extended

derkosak
Registered: Sep 3 2008
Posts: 6

Hi,
I'm trying to create a simple TSP server for use with Acrobat 9 Pro Extended, but it seems Acrobat does not 'recognize' my responses.
Here's what I'm trying to do:
1. Upon receiving the request, I strip Content-Length bytes from the end of the request, which looks like a DER-encoded request.
2. Send the DER-encoded request to the timestamp generator (now it's on my own machine, but will later be an HSM), get response back.
3. Get the DER-encoded version of the response and append it to an HTTP 1.1 response built like this:

HTTP/1.1 200 OK
Content-Type: application/timestamp-reply
Content-Length: 1756
(DER-encoded response...)

I've also tried to make the response like:
HTTP/1.1 200 OK
Server: Makeshift TS_Server
Keep-Alive: timeout=5, max=100
Date: Wed, 03 Sep 2008 17:40:37 GMT
Connection: Keep-Alive
Content-Length: 1756
Content-Type: application/timestamp-reply
(DER-encoded response...)

But Acrobat doesn't seem to accept any of them; it simply says something like "Transaction timed out" after trying 3 times.
If someone needs/wants to take a look at the request/response, I've uploaded them here: http://www.inf.ufsc.br/~kas/ts/ , the .tsq and .tsr files.
I hope someone can point me to some direction here, I'm quite lost.
TIA,
Khristian.

My Product Information:
Acrobat Pro Extended 9.0, Windows
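
The request/response framing described in the post above, as an added example that is not part of the original post: it collects a POST that may arrive in several TCP segments, cuts the body by Content-Length, and frames the reply with a computed Content-Length and a blank line before the DER bytes. The function names, the /tsa path, the tsa.example host and the sample messages are assumptions made for the illustration.

```python
# Added example: HTTP framing around RFC 3161 messages; the DER payloads stay opaque.
CRLF = b"\r\n"

def parse_headers(head: bytes) -> dict:
    """Map lower-cased header names to values, skipping the request line."""
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers

def extract_tsp_query(buffered: bytes):
    """Return the DER TimeStampReq once fully received, or None to keep reading.

    TCP may deliver the POST in several segments, so the caller appends each
    recv() result to `buffered` and calls this again until it returns bytes.
    """
    head, sep, rest = buffered.partition(CRLF + CRLF)
    if not sep:
        return None                        # header block not finished yet
    headers = parse_headers(head)
    if headers.get(b"content-type") != b"application/timestamp-query":
        raise ValueError("not an RFC 3161 timestamp query")
    length = int(headers[b"content-length"])  # KeyError/ValueError if absent or bad
    if len(rest) < length:
        return None                        # body still arriving
    return rest[:length]

def build_tsp_reply(der_reply: bytes) -> bytes:
    """Frame a DER TimeStampResp; Content-Length is computed from the payload."""
    head = CRLF.join([
        b"HTTP/1.1 200 OK",
        b"Content-Type: application/timestamp-reply",
        b"Content-Length: " + str(len(der_reply)).encode("ascii"),
    ])
    return head + CRLF + CRLF + der_reply  # blank line ends the header block

# Constructed samples (not taken from the thread): a SHA-1 TimeStampReq with an
# all-zero digest, and a reply holding only PKIStatusInfo with status 2 (rejection).
SAMPLE_REQ = bytes.fromhex("3024020101301f300706052b0e03021a0414") + bytes(20)
SAMPLE_REPLY = bytes.fromhex("30053003020102")
SAMPLE_POST = (b"POST /tsa HTTP/1.1\r\nHost: tsa.example\r\n"
               b"Content-Type: application/timestamp-query\r\n"
               b"Content-Length: 38\r\n\r\n" + SAMPLE_REQ)
```
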
plevy
Expert
Registered: Jul 8 2008
Posts: 80
You might want to check out the Open TSA open source project at http://www.opentsa.org/

They also have a public server and you might be able to compare what you are sending with what it sends. There may be other servers you can also try.

Acrobat supports RFC 3161 TSP compliant time stamp servers.

Also, if you are using a non-default port, make sure any firewalls are not blocking that port as this can cause confusing problems.
derkosak
Registered: Sep 3 2008
Posts: 6
I have a server on my network running Apache with the mod_tsa that OpenTSA provides, and it works. Using Wireshark, I checked the headers that were sent, and added them to my program (second section of code in my first post). But it didn't work.
I checked the communication between Acrobat and my server, and it seems the response is a bit slow. They do the TCP handshake and Acrobat sends the query, but doesn't wait long enough for the response so a second query is sent, right before the response to the first is sent.
I don't know if the packet is too big (it gets easily larger than 2000 bytes), or what is happening; it simply ignores the packets that are sent.
Also, if I close the server in the middle of the transaction or send garbage, it simply generates the timestamp locally and gives a warning later.
More ideas are greatly appreciated :)
plevy
Expert
Registered: Jul 8 2008
Posts: 80
You might try running it from the browser to see if the HTTP protocol is a match for a request/reply. Not sure if it is really possible to do that.

If you have mod_tsa running under apache it seems like that would be a good starting point to see what you are missing.

I can't really debug this via the forum. Your worry about packet size could be valid also. A network trace program should show you what is going by for the working and non-working cases which would hopefully shed some light on the problem.
hoaxvn
Registered: Mar 23 2009
Posts: 10
I have the same problem. My Acrobat Professional 8.0 always says that "Timestamp signature property generation error-Verification error". Could you take a look at the decoded response to see if there is any problem with the certificate I use (Key Usage, Extended Key Usage, etc.)? The TSA certificate is issued by the Windows certificate service of Windows Server 2003. The Root Certificate has been added into the trust list.

Thank you
Below is the timestamp response:

Offset| Len |LenByte|
======+======+=======+======================================================================
171| 661| 3| SEQUENCE :
175| 3| 1| CONTEXT SPECIFIC (0) :
177| 1| 1| INTEGER : 2
180| 10| 1| INTEGER : '114F706F000000000048'
192| 13| 1| SEQUENCE :
194| 9| 1| OBJECT IDENTIFIER : sha1withRSAEncryption [1.2.840.113549.1.1.5]
205| 0| 1| NULL :
207| 15| 1| SEQUENCE :
209| 13| 1| SET :
211| 11| 1| SEQUENCE :
213| 3| 1| OBJECT IDENTIFIER : commonName [2.5.4.3]
218| 4| 1| PRINTABLE STRING : 'MyCA'
224| 30| 1| SEQUENCE :
226| 13| 1| UTC TIME : '090324072330Z'
241| 13| 1| UTC TIME : '100324073330Z'
256| 59| 1| SEQUENCE :
258| 11| 1| SET :
260| 9| 1| SEQUENCE :
262| 3| 1| OBJECT IDENTIFIER : countryName [2.5.4.6]
267| 2| 1| PRINTABLE STRING : 'VN'
271| 14| 1| SET :
273| 12| 1| SEQUENCE :
275| 3| 1| OBJECT IDENTIFIER : organizationName [2.5.4.10]
280| 5| 1| PRINTABLE STRING : 'VNSec'
287| 28| 1| SET :
289| 26| 1| SEQUENCE :
291| 3| 1| OBJECT IDENTIFIER : commonName [2.5.4.3]
296| 19| 1| PRINTABLE STRING :
| | | 'VN TSA Singing Cert'
317| 159| 2| SEQUENCE :
320| 13| 1| SEQUENCE :
322| 9| 1| OBJECT IDENTIFIER : rsaEncryption [1.2.840.113549.1.1.1]
333| 0| 1| NULL :
335| 141| 2| BIT STRING UnusedBits:0 :
339| 137| 2| SEQUENCE :
342| 129| 2| INTEGER :
| | | 00C8951B5142E8C30D13FA0355639EB2BCAEA2C2DEA6D
| | | 6705310B0356A23261D0A048DAC298D7CC0DC917ABD41
| | | 85B20293813F4B4023220414C86F80C54BC14F112D176
| | | 10C65FA15827FD21F2F823299A56B8FAC6F7FC327E20D
| | | FAF3C980261E18CB66B5BF0B98AD6D6724AADC16FDB6E
| | | 330D9387047B61FDB9B6D191A54B03FFB
474| 3| 1| INTEGER : 65537
479| 353| 3| CONTEXT SPECIFIC (3) :
483| 349| 3| SEQUENCE :
487| 14| 1| SEQUENCE :
489| 3| 1| OBJECT IDENTIFIER : keyUsage [2.5.29.15]
494| 1| 1| BOOLEAN : 'FF'
497| 4| 1| OCTET STRING :
499| 2| 1| BIT STRING UnusedBits:6 :
| | | C0
503| 29| 1| SEQUENCE :
505| 3| 1| OBJECT IDENTIFIER : subjectKeyIdentifier [2.5.29.14]
510| 22| 1| OCTET STRING :
512| 20| 1| OCTET STRING :
| | | DDF4163C2B81BB1BB2FF25DA61432419436E41EF
534| 19| 1| SEQUENCE :
536| 3| 1| OBJECT IDENTIFIER : extKeyUsage [2.5.29.37]
541| 12| 1| OCTET STRING :
543| 10| 1| SEQUENCE :
545| 8| 1| OBJECT IDENTIFIER : timeStamping [1.3.6.1.5.5.7.3.8]
555| 31| 1| SEQUENCE :
557| 3| 1| OBJECT IDENTIFIER : authorityKeyIdentifier [2.5.29.35]
562| 24| 1| OCTET STRING :
564| 22| 1| SEQUENCE :
566| 20| 1| CONTEXT SPECIFIC (0) :
| | | 39B99C001D5116AB33E74E04445EB2817E51864
| | | 8
588| 97| 1| SEQUENCE :
590| 3| 1| OBJECT IDENTIFIER : cRLDistributionPoints [2.5.29.31]
595| 90| 1| OCTET STRING :
597| 88| 1| SEQUENCE :
599| 86| 1| SEQUENCE :
601| 84| 1| CONTEXT SPECIFIC (0) :
603| 82| 1| CONTEXT SPECIFIC (0) :
605| 38| 1| CONTEXT SPECIFIC (6) :
| | | 'http://w2k3thanhnt/CertEnroll/'
| | | 'MyCA.crl'
645| 40| 1| CONTEXT SPECIFIC (6) :
| | | 'file://\\w2k3thanhnt\CertEnrol'
| | | 'l\MyCA.crl'
687| 146| 2| SEQUENCE :
690| 8| 1| OBJECT IDENTIFIER : authorityInfoAccess [1.3.6.1.5.5.7.1.1]
700| 133| 2| OCTET STRING :
703| 130| 2| SEQUENCE :
706| 62| 1| SEQUENCE :
708| 8| 1| OBJECT IDENTIFIER : caIssuers [1.3.6.1.5.5.7.48.2]
718| 50| 1| CONTEXT SPECIFIC (6) :
| | | 'http://w2k3thanhnt/CertEnroll/w2k3th'
| | | 'anhnt_MyCA.crt'
770| 64| 1| SEQUENCE :
772| 8| 1| OBJECT IDENTIFIER : caIssuers [1.3.6.1.5.5.7.48.2]
782| 52| 1| CONTEXT SPECIFIC (6) :
| | | 'file://\\w2k3thanhnt\CertEnroll\w2k3'
| | | 'thanhnt_MyCA.crt'
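
RFC 3161 section 2.3 requires a TSA certificate to carry exactly one extKeyUsage extension, marked critical, whose only purpose is id-kp-timeStamping; in the dump above keyUsage is followed by BOOLEAN 'FF' while extKeyUsage has no BOOLEAN. The check below is an added example, not part of the thread: a small DER walker applied to that requirement. Its function names are hypothetical and its sample bytes are constructed from the keyUsage and extKeyUsage fields shown in the dump.

```python
# Added example: check certificate extensions against RFC 3161 section 2.3.
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")               # 2.5.29.37
OID_KP_TIMESTAMPING = bytes.fromhex("2b06010505070308")   # 1.3.6.1.5.5.7.3.8

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):                 # split constructed content into elements
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def check_tsa_extensions(extensions_der):
    """Return the RFC 3161 section 2.3 problems found in an Extensions SEQUENCE."""
    ekus = []
    for _, ext in children(read_tlv(extensions_der)[1]):
        fields = children(ext)              # OID, optional BOOLEAN critical, OCTET STRING
        critical = len(fields) == 3 and fields[1] == (0x01, b"\xff")
        if fields[0][1] == OID_EXT_KEY_USAGE:
            _, seq, _ = read_tlv(fields[-1][1])   # OCTET STRING wraps SEQUENCE OF OID
            ekus.append((critical, [v for _, v in children(seq)]))
    problems = []
    if len(ekus) != 1:
        problems.append("exactly one extKeyUsage extension is required")
    for critical, purposes in ekus:
        if purposes != [OID_KP_TIMESTAMPING]:
            problems.append("extKeyUsage must contain only id-kp-timeStamping")
        if not critical:
            problems.append("extKeyUsage must be marked critical")
    return problems

# Constructed samples: keyUsage and extKeyUsage rebuilt from the dumped fields,
# plus a variant of extKeyUsage with the critical flag set.
KEY_USAGE = bytes.fromhex("300e0603551d0f0101ff0404030206c0")
EKU_AS_DUMPED = bytes.fromhex("30130603551d25040c300a06082b06010505070308")
EKU_CRITICAL = bytes.fromhex("30160603551d250101ff040c300a06082b06010505070308")

def extensions(*exts):
    body = b"".join(exts)                   # short-form length is enough for the samples
    return bytes([0x30, len(body)]) + body
```
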
plevy
Expert
Registered: Jul 8 2008
Posts: 80
Again, the easiest thing might be to compare with a working timestamp. You can try http://www.edelweb.fr/cgi-bin/service-tsp to see what their timestamp looks like and compare with your cert.